16 Sep 2013, 12:04

A man applied for trauma insurance with an insurance company. As part of his application, he provided extensive medical information and authorised the company to collect health information relating to the application and any previous insurance claims.

After receiving the application, the company contacted the man’s doctor and obtained his full medical history for the preceding five years.

The man raised concerns with us that the company had collected more information than was necessary to process his application.

The Health Information Privacy Code

This complaint raised issues under rule 1 of the HIPC.  Rule 1 states that agencies must not collect health information unless the information is necessary for a lawful purpose connected with the function of the agency.

Here, we had to consider whether the collection of five years of full medical notes was necessary for the purpose of processing the man’s insurance application.

The insurance company advised that, in assessing the application, it identified three issues which it wanted to get more information about. 

It was the company’s policy to request a medical report containing five years of medical notes in any case where more than two issues were identified.

Our view

We formed the view that the company should only have requested information relating to the three issues it had identified and that, as a result, it had breached principle 1 of the HIPC by obtaining the man’s full medical history for the previous five years.

Complaint outcome

The company accepted our view and amended its process so that it only asked for information relating to specific conditions identified in applications. It also reached a confidential settlement with the man.

We closed our file on the basis that the complaint had been resolved.

September 2013

Over-collection of medical notes ─ insurance company ­­─ Privacy Act 1993 ─ Health Information Privacy Code 1994, rule 1